In general, according to the remarkable development of electronic control technology, various devices operating by using a mechanical method in a vehicle are driven by using an electric method for convenience of drivers and safety of operation, and a vehicle system is gradually enhanced and advanced. In particular, as the vehicle system is fully automated, communication between controllers inside a vehicle is also frequently performed. Controller area network (CAN) communication is generally used for communication inside the vehicle.
That is, an electronic control system inside the vehicle includes dozens of electronic control units such as an engine controller, a transmission controller, a brake controller, an airbag controller, etc. Also, each electronic controller includes a CAN controller for CAN communication, and communication between these electronic controllers uses CAN communication.
Basically, according to controller area network (CAN) protocol-based message communication, a network includes a plurality of nodes (or CAN controllers) and a common CAN bus. Each node transmits a message in a broadcast manner, and selects and receives a necessary message. That is, all CAN controllers (or nodes) transmit and receive messages using the common CAN bus. Also, each CAN controller (or node) transmits messages to be transmitted to all nodes on the network in a broadcast manner and provides its own arbitration function by a message identifier. Specifically, each node or CAN controller recognizes the message identifier, and filters and receives only a necessary message among broadcasted messages. That is, in CAN communication, there is no field capable of authenticating a transmission destination of a message in a data frame of the message.
However, as described above, since controller area network (CAN) communication performs transmission and reception using only the broadcasting method and the message identifier, there is a security risk inherent in a CAN protocol.
For example, since CAN communication transmits a message in a broadcast manner, when a malicious node is added to a CAN communication network, the malicious node may collect all the messages transmitted by other nodes. The malicious node may then use collected information to generate a fake message and transmit the fake message to the CAN communication network. Since there is no separate field for authenticating the transmissions destination in a data frame of a CAN communication message, the above-described spoofing attack is easily possible.
Also, when the arbitration function by the CAN message identifier is abused, a service denial attack is also easily possible. The arbitration function by an identifier is a function of assigning priorities to the respective identifiers and preferentially transmitting a message to which a priority has been assigned. An attacker (or the malicious node) collects messages on the CAN communication network and finds an identifier (ID) with the highest priority. Then, the attacker creates a fake message using the identifier and continuously transmits the message on the network. Because the fake message by the attacker has a high priority, other normal messages are not transmitted due to the arbitration function by the CAN message identifier. When this state continues, only a message of the attacker remains in the CAN communication network, resulting in a service denial situation where other normal messages are not be delivered.
In particular, in a vehicle electronic control system based on conventional CAN communication, high security vulnerability devices and security critical devices are connected to the same CAN bus. Therefore, there is a problem in that when high security vulnerability devices (telematics, AVN systems, etc.) are occupied by hackers due to a high connectivity to an external network, security critical devices (engine controllers, brake controllers, airbag controllers, etc.) are stolen, which may be an important security threat to the vehicle system.
In order to solve the above problem, there is proposed a technique of transmitting and receiving a message by exchanging encryption keys and encrypting the message only within a time window that is shared with each other [Patent Document 1]. Also, there is proposed a technique of transmitting and receiving a message by generating a secret key stream and encrypting the message using a symmetric key method [Patent Documents 2 and 3]. Also, there is proposed a technique of providing one-time password (OTP) ROM for generating an encryption key (Patent Document 4). There is proposed a technique of determining a hacking message using the periodicity of a message in CAN communication [Patent Document 5].
However, since the above prior art encrypts and transmits messages, there is a problem in that an operation for encrypting or decrypting messages must be performed, and an encryption key or a secret key must be generated or exchanged for encryption communication. Because a computation time is required for such an encryption operation, there is a problem in that transmission and reception time of messages may be delayed.